Bleeping Computer is reporting today that a new threat is focusing on web servers, network drives and removable drives to turn them into Monero miners. There isn't any mention of data exfil or any ransom-based attacks; this is strictly for mining cryptocurrency, which means this malware will be using up your system resources if infected.

BlackSquid is using a combination of exploits to get into systems and to spread.

Security researchers found exploits for different vulnerabilities. One of them is NSA's EternalBlue, three are for multiple ThinkPHP versions; another three are for getting remote code execution via CVE-2014-6287 (affects Rejetto HFS), CVE-2017-12615 (affects Apache Tomcat), and CVE-2017-8464 (affects Windows Shell), research from Trend Micro reports.

This is also employing anti-research techniques, such as looking for VM or sandbox indicators, or code break-points. These are common with researchers who reverse-engineer malware. Once it detects an "unsafe" environment, it stops processing commands and won't run any of its bag of tricks, to keep researchers from figuring it out.

According to Trend Micro, BlackSquid infects web servers through exploits for web applications. Using the GetTickCount API, it pokes around for live IP addresses and targets them with the exploits it incorporates and brute-force action.

If you're running a web server, make sure it's locked down and preferably in a DMZ to prevent spread.

We don't have any publicly accessible web servers that we are responsible for maintaining but still good to know in case one of our service providers is affected.

If I saw something like this running on one of our servers and, for some reason, I couldn't stop it from running, I'd be setting it to run at the lowest possible process priority level (or the greatest "nice" value in the case of Linux environments).

From a detection and mitigation standpoint, patching these should be considered from a risk-tolerance standpoint for your organisation, in accordance with any patch management policies and/or standards. Do consider detective and compensating controls/measures on your NIDS/NIPS/WAF and whether signatures are in place for detection of those and their actions (drop, alert, etc.). Also consider any endpoint detection solutions that monitor for processes, typically command interpreters and the like, which spawn from your web services.
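One way to implement the endpoint-side check described in the post above, as an added example that is not the thread's own or Trend Micro's code: a small Python detector run over constructed process-creation events. The log line layout, the web-service images beyond hfs.exe and Tomcat, and the sample events are assumptions made for this example.

```python
import re
from typing import List, NamedTuple

# Constructed detection example: flag command interpreters spawned by
# web-service processes. hfs.exe (Rejetto HFS) and Tomcat are named in the
# thread; the other parent images are assumed typical web-service binaries.
WEB_SERVICE_IMAGES = {"hfs.exe", "tomcat8.exe", "tomcat9.exe", "java.exe", "java",
                      "w3wp.exe", "httpd", "apache2", "nginx", "php-fpm"}
# Children that a web service should not normally launch.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "sh", "bash", "dash"}

class Alert(NamedTuple):
    host: str
    parent: str
    child: str
    cmdline: str

# Assumed log line layout (constructed for this example), one event per line.
EVENT_RE = re.compile(
    r'host=(\S+)\s+parent_image="([^"]+)"\s+image="([^"]+)"\s+cmdline="([^"]*)"')

def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_web_shell_spawns(lines: List[str]) -> List[Alert]:
    """Return one Alert per event where a web-service parent launched a
    command interpreter; lines that do not match the layout are skipped."""
    alerts = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        host, parent, child, cmdline = m.groups()
        if basename(parent) in WEB_SERVICE_IMAGES and basename(child) in INTERPRETERS:
            alerts.append(Alert(host, basename(parent), basename(child), cmdline))
    return alerts

# Constructed sample events: two hits on Windows, one on Linux, two benign, one garbled.
SAMPLE_EVENTS = [
    'host=web01 parent_image="C:\\hfs\\hfs.exe" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c ver"',
    'host=web02 parent_image="C:\\Tomcat8\\bin\\tomcat8.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -Command Get-Date"',
    'host=web03 parent_image="/usr/sbin/httpd" image="/bin/sh" cmdline="sh -c id"',
    'host=ws01 parent_image="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe"',
    'host=web03 parent_image="/usr/sbin/nginx" image="/usr/sbin/nginx" cmdline="nginx: worker process"',
    'garbled line with no fields',
]

if __name__ == "__main__":
    for a in detect_web_shell_spawns(SAMPLE_EVENTS):
        print(f"ALERT {a.host}: {a.parent} -> {a.child} [{a.cmdline}]")
```

In a real deployment the same parent/child rule maps directly onto Sysmon Event ID 1 or auditd execve records; the hit list will need tuning for web apps that legitimately shell out.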

If all my web servers are sandboxed and in VMs already, does that mean it just won't work anyway? lol Not exactly the best way to do it, but I'll take it; better than nothing, not that I don't have other security measures.

Malware that won't run in a VM but targets webservers? Our only physical servers are our domain controllers and our VM hosts... I have a feeling this is going to fall flat if it tries to target larger enterprises.

I'm assuming that there's more going on under the hood than that; safe to assume that the creators intended for it to be able to run on VMs but would acknowledge honeypots. I would assume it would be able to review connections and beyond, so that a server acting as a webserver with actual traffic vs. a honeypot sitting stagnant with no real use is going to get discarded.

So... find it on your servers, re-engineer it to report back to their C&C that all is well, but... change the Monero account to yours.... They leave you alone because they think it's already infected, and you get the benefit.

And with the resources on my web servers, all combined together, I'd have enough to buy myself a decent beer in about 4 years. Hey, not going to settle for cheap beer, y'know.